CIA security chief Dan Geer's five-point plan to fix the internet

Liam Tung

The security chief of the CIA’s non-profit investment arm says people should reclaim rights to safety and privacy that have been lost to spies, hackers, governments and corporations battling for internet dominance.

With earth soon to be blanketed in sensors in the "internet of things" age, Dan Geer fears the world is losing its ability to guarantee the security of technology and the privacy of individuals.

Weighing in on the data retention debate raging in Australia, Geer told IT Pro that citizens should demand control over the life of their data.

The Australian government is proposing laws to ensure the "who, what, where and when" of internet communications and phone calls be retained by service providers, so spy agencies have access to information that may assist them in preventing terrorism or solving crimes.

According to Geer, data retention is “problematic” since the government needs some way of proving to citizens that data is actually deleted at the end of a proposed retention period. While mandating a retention period is straightforward, providing guarantees that data is no longer accessible after it expires is not.

"If you can't give me assured deletion, why should I not assume that it's being stored permanently?" he asked.

One way of guaranteeing this would be to cryptographically lock down stored data using a system that requires two keys to unlock it. Citizens would hold one of the keys and could throw it away when the retention period expires.

Essentially, people need to be given more control over data captured about them and the right to delete it.
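As an added illustration that is not part of the article, here is how the two-key "assured deletion" scheme Geer describes could work: each record is encrypted under a data key that is split between citizen and provider, so discarding the citizen's share at the end of the retention period leaves the provider with ciphertext it cannot recover. The key-splitting, the HMAC-based cipher (a stand-in for AES-GCM so the example runs on the Python standard library alone) and the sample record are all constructed for this example.

```python
import hashlib
import hmac
import secrets

def split_key(dek: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR sharing of the data key: either share alone reveals nothing."""
    citizen_share = secrets.token_bytes(len(dek))
    provider_share = bytes(a ^ b for a, b in zip(dek, citizen_share))
    return citizen_share, provider_share

def combine_shares(citizen_share: bytes, provider_share: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(citizen_share, provider_share))

def _subkeys(dek: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the combined data key.
    return hmac.new(dek, b"enc", hashlib.sha256).digest(), hmac.new(dek, b"mac", hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; stands in for AES-GCM (stdlib only)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt_record(dek: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_record(dek: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def retention_demo() -> tuple[bytes, bool]:
    """Provider holds ciphertext plus its share; the citizen holds the other share."""
    citizen_share, provider_share = split_key(secrets.token_bytes(32))
    joined = combine_shares(citizen_share, provider_share)  # both parties cooperate
    stored = encrypt_record(joined, b"2014-08-11 call metadata")  # constructed record
    readable = decrypt_record(joined, stored)  # works during the retention period
    # At expiry the citizen destroys their share (dropping a reference only models that).
    citizen_share = joined = None
    try:
        decrypt_record(provider_share, stored)  # the provider's share alone is a wrong key
    except ValueError:
        return readable, False  # ciphertext is now unrecoverable: assured deletion
    return readable, True
```

In a real deployment the citizen's share would live on a device or token under the citizen's control and its destruction would be the auditable event; a dropped variable in a program only models that step.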

Besides phone calls and web surfing, people’s so-called “digital exhaust” will grow with emerging technologies, such as smart meters and electronic sensors that can be used to paint an intimate picture of a person’s private life.

“What do we do when the definition of observable, hence recordable and probably recorded [data] changes so fast? The answer seems to be either you say 'you can’t record it', or you have a right to ask for it to be removed.”

2. Governments should buy all software bugs

Hackers today can use security flaws in home routers and software to attack critical infrastructure. The world needs a way to remediate these flaws faster to prevent them.

Geer said it would be feasible for the US government to buy every new software flaw found, simply by offering people who find them an amount ten times the highest competing bid. The government must also be compelled to share that knowledge with affected vendors so they can fix their products. The proposal would change the current state of affairs, where bug-hunting hackers profit by selling flaws to the highest bidder, whether that is a criminal gang or a spy agency.

3. Force software vendors to open source when they kill support

Software makers need to be whipped into line, according to Geer. If a company such as Microsoft stops supplying security updates for a product, as it recently did with Windows XP, it should be forced to make that product open source so that others can build fixes. This is necessary because unsupported software still contains unknown holes that can be exploited.

“Would the public interest not be served by a conversion to open source for abandoned code bases? I believe it would,” he said.

4. Hold software vendors to account for faulty products

Governments should impose the same liability on software vendors for damage caused by their products as makers of physical products, like cars and chainsaws.

“The only two products not covered by product liability today are religion and software, and software should not escape for much longer,” he said.

Cyber security failures and data breaches should also follow the model of disease control, where communicable diseases must be reported to the US Centers for Disease Control. Reporting should be mandatory above a certain severity threshold, he said.

5. Give "internet of things" devices a fixed lifetime

The world needs an answer to the 50 billion small devices containing difficult-to-patch embedded systems that are forecast to be plastered across the earth by 2020. Since these are designed to interact with the physical world, they could pose a serious threat if not managed properly.

According to Geer, such devices should either be required to have a remote management interface so they can be maintained (many do not today, which makes security updates impossible) or, in the absence of a management interface, be “designed as to be certain to die” after a fixed time. This would help prevent unsupported devices becoming a zombie army used by malicious attackers to inflict harm on people, businesses and governments.

7 comments so far

These are all logical arguments. If only the government took this issue more seriously.

dk, August 11, 2014, 1:48PM

They don't even understand the issue with data retention, let alone the internet. Get the feeling this is just the tip of an iceberg?

mutt, August 11, 2014, 4:19PM

That and the fact that the CIA obviously has a vested interest in maintaining an ability to remain below the usual radar of scrutiny. Something that's becoming increasingly difficult under today's current technical arena.

Nicolas, August 11, 2014, 8:56PM

I hope George is reading.

A country gal, August 11, 2014, 2:24PM

Fairly sure the likes of Microsoft will squeal at the open source suggestion - especially since it's likely their "abandoned" code bases are probably carried forward to the newer incarnations. Rent seekers are lining up now...

MerriD, August 11, 2014, 3:04PM

This "Internet of Things" is fully dawning on us, but we are most unprepared. In a cyber world as unsecured and vulnerable as ours, this is truly a frightening proposition...

Neo, The Matrix, August 11, 2014, 3:55PM

OK, here is what I did last night... I signed up with myGov... I had to, to change some family tax estimates..... You have to do that online, as the letter in the post said I had to..... I know I am a fool to do this but we don't have a choice.... I felt like I left the front door open to my house.... What option do we have?
